General
Target: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
Size: 348KB
Sample: 221128-crvcwscd8v
MD5: 655198dde4fca3eeb54780d117615f8f
SHA1: bfa972be17c752b0954a557122fc595fbc59364e
SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3
SSDEEP: 6144:JX3ZVxStIm3Ap/d2ntk16SuDnAeaUhHkl8mRubynhwjo1lFolwMyy:JYa9AW16ljFHCqjW2wMn
Static task: static1
Behavioral task: behavioral1
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\how_recover+rrh.txt
  http://vrd463xcepsd12cd.crsoftware745.com/5FA25D1D04F6D28
  http://vr6g2curb2kcidou.expay34.com/5FA25D1D04F6D28
  http://tsbfdsv.extr6mchf.com/5FA25D1D04F6D28
  https://o7zeip6us33igmgw.onion.to/5FA25D1D04F6D28
  http://o7zeip6us33igmgw.onion/5FA25D1D04F6D28
Extracted from: C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\how_recover+whv.txt
  http://vrd463xcepsd12cd.crsoftware745.com/ABCACC4ECE384311
  http://vr6g2curb2kcidou.expay34.com/ABCACC4ECE384311
  http://tsbfdsv.extr6mchf.com/ABCACC4ECE384311
  https://o7zeip6us33igmgw.onion.to/ABCACC4ECE384311
  http://o7zeip6us33igmgw.onion/ABCACC4ECE384311
Targets
Target: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90 (348KB; same MD5, SHA1, SHA256, SHA512 and SSDEEP values as listed under General)
Score: 10/10
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext